Abstract — This paper introduces an efficient and spontaneous
privacy-preserving protocol for vehicular ad-hoc networks based
on revocable ring signature. The proposed protocol has three
appealing characteristics: First, it offers conditional
privacy-preservation: while a receiver can verify that a message issuer is
an authorized participant in the system, only a trusted authority
can reveal the true identity of a message sender. Second, it
is spontaneous: safety messages can be authenticated locally,
without support from the roadside units or contacting other
vehicles. Third, it is efficient by offering fast message
authentication and verification, cost-effective identity tracking in case
of a dispute, and low storage requirements. We use extensive
analysis to demonstrate the merits of the proposed protocol and
to contrast it with previously proposed solutions.

I. Introduction 

Each year, over six million crashes occur on U.S. highways. 
These accidents kill more than 42,000 people, injure three 
million others, and cost more than $230 billion per year [1].
To reduce the number and the severity of these crashes
and to improve driving experience, car manufacturers and the
telecommunication industry recently have geared up to equip 
each vehicle with wireless devices that allow vehicles to 
communicate with each other as well as with the roadside 
infrastructure [2], [4]. These wireless communication devices 
installed on vehicles, also known as onboard units (OBUs), and 
the roadside units (RSUs), form a self-organized Vehicular Ad 
Hoc Network (VANET)[5], [10]. VANETs inherently provide 
a way to collect traffic and road information from vehicles, 
and to deliver road services including warnings and traffic 
information to users in the vehicles. 

Extensive research efforts have been made by both industry 
and academia to investigate key issues in VANETs[5], [6], 
[7], with security and privacy preservation as two primary 
concerns[10], [11], [12], [13], [14], [15], [16], [17], [18], 
[8], [9]. Without security and privacy guarantees, attacks may 
jeopardize the VANET's benefits: a malicious attack, such as a 
modification and replay attack on the disseminated messages, 
could be fatal to some users. Meanwhile, an attacker could 
trace the locations of the vehicles and obtain their moving 
patterns if user-related private information has not been protected.
Hence, providing privacy-preserving safety message¹
authentication has become a fundamental design requirement
in securing VANETs.

The goals of privacy and liability are conflicting. On the 
one hand, a well-behaved OBU is willing to offer as much 
local information as possible to neighboring OBUs and RSUs 
to create a safer driving environment on condition that its 
privacy has been well protected. On the other hand, a malicious 
OBU may abuse the privacy protection mechanism. This
may happen in particular when a driver who is involved in
a dispute event involving safety messages attempts to avoid
legal responsibility. Therefore, the privacy-preserving message
authentication in VANETs should be conditional, such that a
trusted authority can disclose the real identity of a targeted OBU
in case of a traffic event dispute, even though the OBU itself
is not traceable by the public.

The existing security and privacy solutions for VANETs can
mainly be categorized into three classes. The first one is based
on a large number of anonymous keys (denoted as LAB in the
following) [11], [14], the second one is based on a pure group
signature (denoted as GSB in the following) [12], [13], while
the last one employs the RSU to assist vehicles in authenticating
messages (denoted as RSUB in the following) [15], [16], [17].
Though all of these solutions can meet the conditional privacy
requirement, they face obstacles in real deployments. First,
the LAB scheme is not efficient in terms of used storage and
dispute solving. Second, although the GSB scheme does not
require each vehicle to store a large number of anonymous
keys, the time for message verification grows linearly with the
number of revoked vehicles. Worse, the unrevoked vehicles
have to update their private key and group public key with
the group manager when the number of revoked vehicles
surpasses some predefined threshold. This problem may be
fatal for VANETs as they scale to cover all vehicles in a
country/continent.² Finally, the RSUB protocol achieves much
better efficiency than the previous ones; however, the cost of
deploying RSUs is high, thus only some of the roads can
be covered, especially at the initial deployment stage of the
VANET. Therefore, this solution may not be feasible in case
of the absence of the RSU.

¹ A safety message reports on the state of the sender vehicle, e.g., its
location, speed, heading, etc.

² At the moment, there are in the order of some hundreds of millions of
cars registered worldwide.

To address these issues, this paper proposes an efficient
and spontaneous conditional privacy preservation protocol
for intervehicle communication based on revocable ring
signature [34]. Compared to previous message-authentication
schemes [10], [11], [12], [13], [14], [15], [16], [17], [18],
[8], [9], our scheme has the following unparalleled features:
(1) Conditional privacy: Using the revocable ring signature
to secure the intervehicle communication enables preserving
privacy regarding user identity and location of the vehicle,
and the identities of the target vehicles can only be revealed
by the trusted authority; (2) Efficiency: The proposed protocol
can efficiently deal with a growing revocation list instead of
relying on a large storage space at each vehicle or updating the
group public key and private key at all unrevoked vehicles; (3)
Spontaneity: The proposed protocol does not employ RSUs to
assist vehicles in authenticating messages while providing fast
message authentication and verification and an efficient
conditional privacy tracking mechanism. We believe this protocol
is an excellent candidate for the future VANETs.

The remainder of this paper is organized as follows. Section 
II surveys the related work. Section III presents the problem 
formulation, system architecture, and design objectives. Section
IV details the proposed security protocol, followed by the
security analysis and the performance analysis in Section V 
and Section VI, respectively. Section VII concludes the paper. 

II. Background and Related Work 

A. System Model 

The considered system includes two types of entities: the 
Transportation Regulation Center (TRC), and the moving 
vehicles equipped with OBUs. 

• OBU: All vehicles need to be registered with the TRC and 
preloaded with public system parameters and their own 
private key before the vehicle can join the VANETs. The 
use of secret information such as private keys generates 
the need for a tamper-proof device in each vehicle. The 
access to this device is restricted to authorized parties. 
OBUs are mobile and moving most of the time. When the 
OBUs are on the road, they regularly broadcast routine 
safety messages, such as position, current time, direction, 
speed, traffic conditions, traffic events, to help drivers 
get a better awareness of their environment and take 
early action to respond to an abnormal situation (Fig. 1). 
Compared with the RSUs, the population of OBUs in the 
system could be up to millions, whereas the number of 
RSUs is at most tens of thousands based on the national 
infrastructure construction. 

• TRC: The TRC is in charge of the registration of all OBUs that
vehicles are equipped with. The TRC can reveal the real
identity of a safety message sender whenever there is 
a situation where the involved vehicles' IDs need to be 
revealed. The TRC has sufficient computation and storage 
capability, and is fully trusted by all parties in the system. 




Fig. 1. System model: Road Emergency Operation under VANET 

Unlike other schemes, our solution does not employ RSUs. 
The network dynamics are characterized by quasi-permanent 
mobility, high speeds, and (in most cases) short connection 
times between neighbors. The medium used for communications
between neighboring OBUs is 5.9 GHz Dedicated Short
Range Communication (DSRC) [21] IEEE 802.11p.

B. Related Work 

Many studies have been reported on the security and
privacy-preservation issues for VANETs [10], [11], [12], [13],
[14], [15], [16], [17], [18], [8], [9]. Xi et al. [8], [9]
introduced a random key-set-based authentication protocol to
preserve the vehicle's privacy. However, they only provide
unconditional anonymity without an effective and efficient
tracking mechanism. To achieve both message authentication
and conditional anonymity, Raya et al. [10], [11] introduced
a security protocol in VANETs, namely the LAB protocol, by
requiring a large number of private keys and corresponding
anonymous certificates to be installed at each vehicle. A
vehicle randomly selects one of these anonymous certificates
and uses its corresponding private key to sign each launched
message. The other vehicles use the public key of the sender
enclosed in the anonymous certificate to authenticate the
source of the message. These anonymous certificates are
generated by employing the pseudo-identity of the vehicles,
instead of taking any real identity information of the drivers.
Each certificate has a short lifetime to meet the drivers' privacy
requirement. Although the LAB protocol can effectively meet
the conditional privacy requirement, it is inefficient and may
become a scalability bottleneck, because sufficient numbers
of certificates must be issued for each vehicle to maintain
anonymity over a significant period of time. As a result, the
certificate database to be searched by an authority in order to
match a compromised certificate to its owner's identity is huge.

Subsequently, Lin et al. [14] developed a time-efficient 
and secure vehicular communication scheme (TSVC) based 
on the TESLA (Timed Efficient Stream Loss-tolerant 
Authentication) [22]. With TSVC, a vehicle first broadcasts a
commitment of hash chain to its neighbors and then uses the
elements of the hash chain to generate a message authentication
code (MAC) with which other neighbors can authenticate
this vehicle's following messages. Because of the fast speed
of MAC verification, the communication and computation 
overhead of TSVC has been reduced significantly. However, 
TSVC also requires a huge set of anonymous public/private 
key pairs as well as their corresponding public key certificates 
to be preloaded in each vehicle. Furthermore, TSVC is not 
robust when the dynamics of traffic becomes large since a 
vehicle should broadcast its key chain commitment much more 
frequently. 

Lin et al. [12], [13] proposed a security protocol, i.e. GSB
protocol, based on the group signature[28]. With GSB, only a 
private key and the group public key are stored in the vehicle, 
and the messages are signed according to the group signature 
scheme without revealing any identity information to the 
public. This assures that the trusted authority is equipped with 
the capability of exposing the identity of a sender. However, 
the time for safety message verification grows linearly with the 
number of revoked vehicles in the revocation list. Hence, each 
vehicle has to spend more time on safety message verification. 
Furthermore, when the number of revoked vehicles in the 
revocation list is larger than some threshold, the protocol 
requires every remaining vehicle to calculate a new private key 
and group public key based on the exhaustive list of revoked 
vehicles whenever a vehicle is revoked. The means for system 
parameters to be effectively updated to remaining vehicles, in 
a reliable and scalable fashion, is not explored and represents 
an important obstacle to the success of this scheme. 

Recently, Zhang et al. [15], [16] proposed a novel RSU-aided
message authentication scheme, that is RSUB, which
makes RSUs responsible for verifying the authenticity of
messages sent from vehicles and for notifying the results back
to vehicles. In this scheme, the vehicles have lower computation
and communication overhead than the previous reported
schemes. Independently, Lu et al. [17] introduced an efficient 
conditional privacy preservation protocol in VANETs by the 
generation of on-the-fly short-time anonymous keys between 
vehicles and RSUs, which also can provide fast anonymous 
authentication and privacy tracking. Both of these schemes 
explore an important feature of VANETs by employing RSUs 
to assist vehicles in authenticating messages. However, RSUs 
may not cover all the roads, especially in the initial VANETs 
deployment stage, or due to the physical damage of some 
RSUs, or simply for economic considerations. 

III. Preliminaries 

A. Objectives 

To avoid reinventing the wheel, we refer the readers to other 
works [12], [11] for a full discussion of the attacker model. In 
the context of this work, we focus on the following security 
objectives. 

1) Efficient anonymous authentication of safety messages:
The proposed scheme should provide an efficient and
anonymous message authentication mechanism. First, all
accepted messages should be delivered unaltered, and
the origin of the messages should be authenticated to
guard against impersonation attacks. Meanwhile, from
the perspective of vehicle owners, it may not be acceptable
to leak personal information, including identity and
location, while authenticating messages. Therefore,
providing a secure yet anonymous message authentication
is critical to the applicability of VANETs. Furthermore,
the proposed scheme should be efficient in terms of
fast verification on the safety messages and minimal
anonymous keys storage at OBUs.

2) Efficient tracking of the source of a disputed safety 
message: An important and challenging issue in these 
conditions is enabling TRC to retrieve a vehicle's real 
identity from its pseudo identity when a signature is 
in dispute or when the content of a message is bogus. 
Otherwise, anonymous authentication only can prevent 
an outside attack, but cannot deal with an inside one. 
That is to say, an insider can launch a bogus message 
spoofing attack or an impersonation attack successfully 
if the identity of the message sender cannot be traced by
the authorities. So it is necessary to provide traceability
for the safety message to prevent the inside attack; otherwise
concerns about the security may prevent vehicle
owners from joining this system. 

3) Multilevel Anonymity [8]: Privacy is a user-specific
requirement and some users may be more serious about
their privacy than others. Thus, it is noted that the 
proposed protocol should support multiple anonymity 
levels, and each vehicle should be allowed to choose 
its own anonymity level. The authentication protocol 
should provide a tradeoff between the anonymity level 
and resource utilization. 



B. Bilinear Maps 

Since bilinear maps [23] are the basis of our proposed 
scheme, we briefly introduce them here. 

Let $G_1$ and $G_2$ be two cyclic groups of prime order $q$. Let
$P$ be a generator of $G_1$. Assume that the discrete logarithm
problem in both $G_1$ and $G_2$ is hard. Suppose there exists a
computable bilinear map $e$ such that $e : G_1 \times G_1 \to G_2$ with
the following properties:

1) Bilinearity: For all $P_1, P_2 \in G_1$, and $a, b \in \mathbb{Z}_q$,
$e(aP_1, bP_2) = e(P_1, P_2)^{ab}$.

2) Non-degeneracy: $e(P, P) \neq 1_{G_2}$.

Such an admissible bilinear map $e$ can be constructed
by the modified Weil or Tate pairing on elliptic curves.
For example, the Tate pairing on MNT curves [24] gives the
efficient implementation, and the representations of $G_1$ can be
expressed in 161 bits when the order $q$ is a 160-bit prime. By
this construction, the discrete logarithm problem in $G_1$ can
reach 80-bit security level.



C. Ring Signature 

The ring signature scheme, introduced by Rivest, Shamir
and Tauman [26], is characterized by two main properties:
anonymity and spontaneity. Anonymity in ring signature
means 1-out-of-n signer verifiability, which enables the signer
to remain anonymous in these "rings" of diverse signers.
Spontaneity is the property that distinguishes ring
signatures from group signatures [27], [28]. Group signatures
allow the anonymity of a real signer in a group to be revoked
by a trusted party called group manager. It also gives the group
manager the absolute power of controlling the formation of the
group. The ring signature, on the other hand, does not allow
anyone to revoke the signer anonymity, while allowing the
real signer to form a ring arbitrarily without being controlled
by any other party. Since Rivest et al.'s scheme, many ring
signature schemes have been proposed [29], [30], [31], [32],
[33].

Recently, Liu et al.[34] have introduced a new variant for 
the ring signature, called revocable ring signature. This scheme 
allows a real signer to form a ring arbitrarily while allowing 
a set of authorities to revoke the anonymity of the real signer. 
In other words, the real signer will be responsible for what
it has signed, as the anonymity is revocable by authorities, while
the real signer still has the freedom of ring formation. We
use this scheme as the basis for our efficient and spontaneous 
conditional privacy-preservation protocol. 

IV. Efficient and Spontaneous Vehicular 
Communications Scheme 

This section describes in detail our efficient and spontaneous 
privacy-preserving protocol for VANET. Each vehicle dynamically
collects the public keys of other vehicles it encounters
during its journey. Note that this set of public keys keeps
changing over time. When the OBU wants to send a message, 
it uses these public keys as its own group members to generate 
the revocable ring signature. Furthermore, the identity of the 
sender can only be recovered by the trusted authority. 

The proposed scheme includes the following four phases: 
system initialization, OBU safety message generation and 
sending, OBU safety message verification, and OBU fast 
tracking algorithm. The notation used throughout this paper 
is listed in Table I. 

A. System Initialization 

Firstly, as described in section II-A, we assume each vehicle
is equipped with a tamper-proof device, which is secure
against any compromise attempt in any circumstance. With
the tamper-proof device on vehicles, an adversary cannot
extract any data stored in the device including key material,
data, and codes [11], [18]. We assume that there is a trusted
Transportation Regulation Center (TRC) which is in charge
of checking the vehicle's identity, and generating and
pre-distributing the private keys of the vehicles. Prior to the
network deployment, the TRC sets up the system parameters
for each OBU as follows:



TABLE I
Notations

Notation                     Description
---------------------------  ------------------------------------------------
TRC                          Transportation Regulation Center
RL                           Revocation List
$V_i$                        The ith vehicle
$G_1, G_2$                   Two cyclic groups of same order $q$
$P$                          The generator of $G_1$
$RID_i$                      The real identity of the vehicle $V_i$
$ID_i$                       The pseudo-identity of the vehicle $V_i$
$M$                          A message sent by the vehicle $V_i$
$x_i$                        The private key of the vehicle $V_i$
$y_i = x_i P$                The corresponding public key of the vehicle $V_i$
$x_{TRC}$                    The private key of the TRC
$y_{TRC} = x_{TRC} P$        The corresponding public key of the TRC
$H(\cdot)$                   A hash function such as $H : \{0, 1\}^* \to \mathbb{Z}_q$
$a \| b$                     String concatenation of $a$ and $b$



• Let $G_1$, $G_2$ be two cyclic groups of same order $q$. Let
$e : G_1 \times G_1 \to G_2$ be a bilinear map.

• The TRC first randomly chooses $x_{TRC} \in_R \mathbb{Z}_q$ as its
private key, and computes $y_{TRC} = x_{TRC} P$ as its public
key. The TRC also chooses a secure cryptographic hash
function $H : \{0, 1\}^* \to \mathbb{Z}_q$.

• The TRC generates a public and private key pair $(x_i, y_i)$
for each vehicle $V_i$ with real identity $RID_i$ as follows:
By using $x_{TRC}$, the TRC first computes
$x_i = H(x_{TRC}, RID_i) \in \mathbb{Z}_q$, and then sets $y_i = x_i P \in G_1$. In
the end, the TRC stores the $(y_i, RID_i)$ in its records.

• Each vehicle is preloaded with the public parameters
$\{G_1, G_2, q, y_{TRC}, H\}$. In addition, the tamper-proof
device of each vehicle is preloaded with its private/public
key pairs $(x_i, y_i)$ and corresponding anonymous
certificates (these certificates are generated by taking the
vehicle's pseudo-identity $ID_i$). Finally, the vehicle will
preload the revocation list (RL) from the TRC.

B. OBU Safety Message Generation 

Vehicle $V_\pi$ signs the message $M$ before sending it out.
Suppose $S = \{y_1, \cdots, y_n\}$ is the set of public keys collected
by vehicle $V_\pi$ and it defines the ring of unrevoked public
keys. Note that the public key set $S$, collected and stored
temporarily by $V_\pi$, is dynamic. We assume that all public
keys $y_i$, $1 \le i \le n$, and their corresponding private keys
$x_i$ are generated by the TRC, and $\pi$ ($1 \le \pi \le n$) is the index
of the actual message sender. In other words, as $V_\pi$ travels
through the road network, the set of public keys collected by
it keeps changing over time. Otherwise, a unique set of public
keys used by a vehicle may enable the adversary to infer
its traveling trajectory. The signature generation algorithm
$Sig(S, x_\pi, y_{TRC}, M)$ is carried out as follows.

1) Randomly select $r \in_R \mathbb{Z}_q$ and compute $R = rP$.

2) For $y_{TRC}$, compute $E_{TRC} = e(y_\pi, y_{TRC})^r$.

3) Generate a non-interactive proof SPK(1) as follows:

$$SPK\{\alpha : \{E_{TRC} = e(R, y_{TRC})^{\alpha}\} \wedge \{\bigvee_{i \in [1,n]} y_i = \alpha P\}\}(M).$$

The signature $\sigma$ of $M$ with respect to $S$
and $y_{TRC}$ is $(R, E_{TRC})$ and the transcript of SPK(1).



For clear presentation, we divide SPK(1) into two components:

$$SPK\{\alpha : E_{TRC} = e(R, y_{TRC})^{\alpha}\}(M), \quad (1a)$$

$$SPK\{\alpha : \bigvee_{i \in [1,n]} y_i = \alpha P\}(M). \quad (1b)$$

To generate a transcript of SPK(1a), given
$E_{TRC}$, $R$, $y_{TRC}$, the actual message sender indexed by $\pi$
proves the knowledge of $x_\pi$ such that $E_{TRC} = e(R, y_{TRC})^{x_\pi}$
by releasing $(s, c)$ as the transcript such that

$$c = H(y_{TRC} \| R \| E_{TRC} \| e(R, y_{TRC})^{s} E_{TRC}^{c} \| M)$$

This can be done by randomly picking $l \in_R \mathbb{Z}_q$ and
computing

$$c = H(y_{TRC} \| R \| E_{TRC} \| e(R, y_{TRC})^{l} \| M)$$

and then setting $s = l - c x_\pi \bmod q$.

To generate the transcript of SPK(1b), given $S$, the actual
message sender indexed by $\pi$, for some $1 \le \pi \le n$, proves
the knowledge of $x_\pi$, out of $n$ discrete logarithms $x_i$, where
$y_i = x_i P$, for $1 \le i \le n$, without revealing the value of $\pi$.
This can be done by releasing $(s_1, \cdots, s_n, c_1, \cdots, c_n)$ as the
transcript such that $c_0 = \sum_{i=1}^{n} c_i \bmod q$ and

$$c_0 = H(S \| s_1 P + c_1 y_1 \| \cdots \| s_n P + c_n y_n \| M).$$

To generate this transcript, the actual message sender first
picks randomly $l \in_R \mathbb{Z}_q$ and $s_i, c_i \in_R \mathbb{Z}_q$ for $1 \le i \le n$,
$i \neq \pi$, then computes

$$c_0 = H(S \| s_1 P + c_1 y_1 \| \cdots \| s_{\pi-1} P + c_{\pi-1} y_{\pi-1} \| lP \| s_{\pi+1} P + c_{\pi+1} y_{\pi+1} \| \cdots \| s_n P + c_n y_n \| M)$$

and finds $c_\pi$ such that $c_0 = c_1 + \cdots + c_n \bmod q$. Finally
the actual message sender sets $s_\pi = l - c_\pi x_\pi \bmod q$.

Now we combine the constructions of SPK(1a) and
SPK(1b) together. First, the actual message sender randomly
picks $l_1, l_2 \in_R \mathbb{Z}_q$ and $s_i, c_i \in_R \mathbb{Z}_q$ for $1 \le i \le n$, $i \neq \pi$,
then computes

$$c = H(S \| y_{TRC} \| R \| E_{TRC} \| e(R, y_{TRC})^{l_1} \| s_1 P + c_1 y_1 \| \cdots \| s_{\pi-1} P + c_{\pi-1} y_{\pi-1} \| l_2 P \| s_{\pi+1} P + c_{\pi+1} y_{\pi+1} \| \cdots \| s_n P + c_n y_n \| M).$$

After that, the actual message sender sets $s = l_1 - c x_\pi \bmod q$,
finds $c_\pi$ such that $c = c_1 + \cdots + c_n \bmod q$, and sets
$s_\pi = l_2 - c_\pi x_\pi \bmod q$. The transcript of SPK(1) is therefore

$$(s, s_1, \cdots, s_n, c_1, \cdots, c_n).$$



C. Message Verification 

Once a message is received, the receiving vehicle first
checks if $RL \cap S = \emptyset$. If so, the receiver performs
signature verification by verifying SPK(1) as follows:

$$\sum_{i=1}^{n} c_i \stackrel{?}{=} H(S \| y_{TRC} \| R \| E_{TRC} \| e(R, y_{TRC})^{s} E_{TRC}^{\sum_{i=1}^{n} c_i} \| s_1 P + c_1 y_1 \| \cdots \| s_n P + c_n y_n \| M).$$

After that, the receiving vehicle updates its own public key
set by randomly choosing public keys from $S$.

D. OBU fast tracing 

A membership tracing operation is performed when solving
a dispute, where the real ID of the signature generator is
desired. The TRC first checks the validity of the signature
and then uses its private key $x_{TRC}$ and determines if

$$E_{TRC} = e(y_i, R)^{x_{TRC}}$$

for some $i$, $1 \le i \le n$.

If the equation holds at, say when $i = \pi$, then the TRC
looks up the record $(y_\pi, RID_\pi)$ to find the corresponding
identity $RID_\pi$, meaning that the vehicle with identity $RID_\pi$ is
the actual message generator. The TRC then broadcasts the
$(y_\pi, RID_\pi)$ to all OBUs and each OBU adds the $y_\pi$ into its
local revocation list (RL).
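
The four phases of Section IV (initialization, signing, verification, tracing) as an added Python walk-through; this is example code written for this page, not the authors' implementation. Assumptions: the group parameters `p`, `q`, `g`, the `repr`-based hash encoding and the sample identities are constructed here, and $G_1$ elements are stored as their discrete logarithms, so the toy group has no security and only lets the equations execute.

```python
import hashlib
import secrets

# Toy bilinear group, constructed for this example and NOT secure:
# a G1 element aP is stored as a mod q (so P = 1 and y_i equals x_i numerically),
# G2 is the order-q subgroup of Z_p^*, and e(aP, bP) = g^(ab) mod p.
p = 2**89 - 1          # Mersenne prime
q = 2931542417         # prime factor of 2^44 + 1, hence of p - 1
g = next(t for t in (pow(h, (p - 1) // q, p) for h in range(2, 64)) if t != 1)
P = 1


def pair(a, b):
    """Toy bilinear map e : G1 x G1 -> G2."""
    return pow(g, (a * b) % q, p)


def H(*parts):
    """Hash to Z_q; repr() of the argument tuple stands in for '||'."""
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % q


def trc_setup():
    """TRC key pair (x_TRC, y_TRC = x_TRC * P)."""
    x_trc = secrets.randbelow(q - 1) + 1
    return x_trc, (x_trc * P) % q


def vehicle_keys(x_trc, rid):
    """x_i = H(x_TRC, RID_i), y_i = x_i * P, as in system initialization."""
    x_i = H(x_trc, rid)
    return x_i, (x_i * P) % q


def ring_points(ring, s_list, c_list):
    """The n values s_i*P + c_i*y_i that enter the hash."""
    return tuple((s * P + c * y) % q for s, c, y in zip(s_list, c_list, ring))


def sign(ring, pi, x_pi, y_trc, msg):
    """Sig(S, x_pi, y_TRC, M) -> (R, E_TRC, s, [s_i], [c_i])."""
    n = len(ring)
    r = secrets.randbelow(q - 1) + 1
    R = (r * P) % q
    E = pow(pair(ring[pi], y_trc), r, p)
    l1, l2 = secrets.randbelow(q), secrets.randbelow(q)
    s_list = [secrets.randbelow(q) for _ in range(n)]
    c_list = [secrets.randbelow(q) for _ in range(n)]
    points = list(ring_points(ring, s_list, c_list))
    points[pi] = (l2 * P) % q                      # slot pi carries l2*P
    c = H(tuple(ring), y_trc, R, E, pow(pair(R, y_trc), l1, p), tuple(points), msg)
    s = (l1 - c * x_pi) % q
    others = sum(c_list) - c_list[pi]
    c_list[pi] = (c - others) % q                  # so that sum(c_i) = c mod q
    s_list[pi] = (l2 - c_list[pi] * x_pi) % q
    return R, E, s, s_list, c_list


def verify(sig, ring, y_trc, msg, revocation_list=()):
    """Receiver check: RL and S disjoint, then the SPK(1) hash equation."""
    R, E, s, s_list, c_list = sig
    if set(ring) & set(revocation_list):
        return False
    if not (len(ring) == len(s_list) == len(c_list)):
        return False
    c = sum(c_list) % q
    a = (pow(pair(R, y_trc), s, p) * pow(E, c, p)) % p   # e(R,y_TRC)^s * E_TRC^c
    return c == H(tuple(ring), y_trc, R, E, a, ring_points(ring, s_list, c_list), msg)


def trace(sig, ring, x_trc):
    """TRC tracing: index i with E_TRC == e(y_i, R)^x_TRC, or None."""
    R, E = sig[0], sig[1]
    for i, y in enumerate(ring):
        if pow(pair(y, R), x_trc, p) == E:
            return i
    return None


def demo():
    """Run all four phases on constructed identities and a constructed message."""
    x_trc, y_trc = trc_setup()
    keys = [vehicle_keys(x_trc, f"RID-{i}") for i in range(5)]
    ring = [y for _, y in keys]
    pi, msg = 3, "pos=(constructed);speed=20;heading=N"
    sig = sign(ring, pi, keys[pi][0], y_trc, msg)
    return {
        "valid": verify(sig, ring, y_trc, msg),
        "tampered": verify(sig, ring, y_trc, msg + "!"),
        "traced": trace(sig, ring, x_trc),
        "after_revocation": verify(sig, ring, y_trc, msg, revocation_list=[ring[pi]]),
    }


if __name__ == "__main__":
    print(demo())
```

The last entry of `demo()` shows the revocation behaviour of Section IV-C: once the traced key $y_\pi$ is in a receiver's RL, any ring containing it is rejected before the hash equation is evaluated.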

V. Security Analysis 

We analyze the security of the proposed scheme in terms 
of the following four aspects: message authentication, user 
identity privacy preservation, traceability by the TRC, and 
spontaneity of the signature generator. 

• Message authentication. Message authentication is the 
basic security requirement in vehicular communications. 
In the proposed scheme, the ring signature can only be 
generated by the valid ring members. Without knowing 
any of the discrete logarithms $x_i$ of the public keys $y_i$ in
the ring $S$, it is infeasible to forge a valid ring signature.

• Identity privacy preservation. Given a valid ring signature
$\sigma$ of some message, it is computationally difficult to
identify the actual signer by any participant in the system
except the TRC. If there exists an algorithm which breaks
the signer anonymity of the construction in Section IV,
then the Indistinguishability Based Bilinear Decisional
Diffie-Hellman assumption would be contradicted [34].

• Traceability. Given the signature, only the TRC, who
knows $x_{TRC}$, can trace the real identity of a message
sender using the OBU tracking procedure described in
section IV-D. Besides, the tracing process carried out by the
TRC does not require any interaction with the message
generator. Instead, the revocable ring signature itself
provides the authorship information to the TRC. Therefore,
once a signature is in dispute, the TRC has the ability to
trace the disputed message, so traceability is
well satisfied.
• Spontaneity. Note that the actual message generator can
specify the ring (a set of vehicles) required to generate 
the ring signature arbitrarily based on the public keys 
of vehicles it encountered in the past without any new 
interaction with any other vehicles or RSUs in the system. 
Compared with the schemes [15], [16], [17], our scheme 
does not use the RSUs to assist vehicles in authenticating 
messages. 

• Multilevel privacy. Each vehicle can select the degree of
privacy that fits its own requirements by choosing the
number of public keys used in the message generation
phase. This way, each vehicle can achieve a proper balance
between privacy protection and resource usage. The
multilevel privacy of our scheme gives users flexibility in 
defining their privacy requirements. 

VI. Performance Evaluation 

This section evaluates the performance of the proposed 
scheme in terms of storage requirements and computational 
overheads. 

A. Storage Overheads 

This subsection compares the OBU storage overhead of our
protocol with three previously proposed protocols: LAB [11],
RSUB [17] and GSB [12]. In the LAB protocol, each OBU
stores not only its own $N_{okey}$ anonymous key pairs, but also
all the anonymous public keys and their certificates in the
revocation list (the notations adopted in the description are
listed in Table II). Let each key (with its certificate) occupy
one storage unit. If there are $m$ OBUs revoked, then the scale
of revoked anonymous public keys is $m \cdot N_{okey}$. Thus, the
total storage overhead in LAB protocol (denoted as $S_{LAB}$)
is $S_{LAB} = (m + 1) N_{okey}$. Assuming that $N_{okey} = 10^4$,
we have $S_{LAB} = (m + 1) \cdot 10^4$. Both in our protocol and
GSB protocol, each OBU stores one private key issued by the
trusted party, and $m$ revoked public keys in the revocation list.
Let $S_{GSB}$ and $S_{RRSB}$ denote the total storage unit of GSB
protocol and our protocol (Revocable Ring Signature Based
protocol) respectively. Thus, $S_{GSB} = S_{RRSB} = m + 1$. In the
RSUB protocol [17], each OBU stores one private key issued
by the trusted party, and a short-time key pair together with
its anonymous certificate issued by the RSU. Since the OBU
does not need to store the revocation list, the storage overhead
in RSUB protocol is only two units, denoted as $S_{RSUB} = 2$.

Fig. 2 shows the storage units of LAB protocol, GSB protocol,
RSUB protocol and our protocol as $m$ increases. Observe
that the OBU storage overhead in LAB protocol linearly
increases with $m$, and is much larger than that in the other
three protocols. The storage overhead of GSB protocol and
our protocol is still small in spite of its linear increase with
$m$. Though the storage overhead in RSUB protocol is the most
efficient, this scheme requires the RSUs, instead of OBUs, to
store the anonymous key pairs, which, nonetheless, is not the
case in the other schemes.

Fig. 2. Each OBU storage overhead of Raya's, Lin's, Lu's and our protocol
in different m revoked OBUs, m varying from 1 to 100



TABLE II
Notations and Rough Scale

Notation      Description                                            Scale
------------  -----------------------------------------------------  --------
$N_{obu}$     The number of OBUs in the system                       10'
$N_{okey}$    The number of anonymous keys owned by one OBU          $10^4$
$N_{rsu}$     The number of RSUs in the system                       $10^4$
$N_{rkey}$    The number of anonymous keys processed by one RSU      $10^4$



B. Message Verification Overhead 

This subsection compares the OBU computation overhead
for the proposed, RSUB and GSB protocols. Since the point
multiplication in G and pairing computations dominate each
party's computation overhead, we consider only these operations
in the following estimation. Table III gives the measured
processing time (in milliseconds) for an MNT curve [24] of
embedding degree $k = 6$ and 160-bit $q$. The implementation
was executed on an Intel Pentium IV 3.0 GHz machine [25].

In our proposed protocol, verifying a message requires
$T_{pair} + (2n + 1)T_{pmul}$, where $n$ is the cardinality of the ring,
as shown in section IV-C. Let $T_{RRSB}$ be the required time
cost in our protocol, then we have:

$$T_{RRSB} = T_{pair} + (2n + 1)T_{pmul} = 4.5 + (2n + 1) \times 0.6 \ \text{(ms)}$$

In the GSB protocol, the time cost to verify a message is
related to the number of revoked OBUs in the revocation list.
Thus the required time is:

$$T_{GSB} = 6T_{pmul} + (4 + m)T_{pair} = 6 \times 0.6 + (4 + m) \times 4.5 \ \text{(ms)}$$

In the RSUB protocol, to verify a message, it requires
$3T_{pair} + 11T_{pmul}$. Let $T_{RSUB}$ be the required time cost in
RSUB's protocol, then we have:

$$T_{RSUB} = 3T_{pair} + 11T_{pmul} = 3 \times 4.5 + 11 \times 0.6 = 20.1 \ \text{(ms)}$$
Let

$$T_{RG} = \frac{T_{RRSB}}{T_{GSB}}$$

be the cost ratio between our proposed protocol and the GSB
protocol. Fig. 3 plots the time cost ratio $T_{RG}$ when $m$ OBUs
are revoked, as $m$ ranges from 1 to 100. We observe that the
time cost ratio $T_{RG}$ decreases as $m$ increases, which
demonstrates the much better efficiency of our proposed protocol
than the GSB protocol especially when the revocation list is
large. Note that $n$ can be determined by the user according to
its own computation capacity and privacy requirements.

TABLE III
Cryptography Operation's Execution Time

Notation      Descriptions                                    Execution Time
------------  ----------------------------------------------  --------------
$T_{pmul}$    The time for one point multiplication in G      0.6 ms
$T_{pair}$    The time for one pairing operation              4.5 ms

Fig. 3. Time efficiency ratio $T_{RG} = T_{RRSB}/T_{GSB}$ with a number of m
revoked OBUs, m varying from 1 to 100.
Let

$$T_{RR} = \frac{T_{RRSB}}{T_{RSUB}}$$

be the cost ratio between our proposed protocol and RSUB
protocol. Fig. 4 plots the time cost ratio $T_{RR}$ when $n$ public
key pairs are employed, where the number of $n$ ranges from
1 to 50. We observe that the time cost ratio $T_{RR}$ increases as
$n$ increases, which demonstrates our protocol is slightly more
expensive than RSUB protocol. However, our protocol does
not employ the roadside infrastructures to communicate with
the OBU as in RSUB protocol, which will cause additional
communication overhead.

C. Trusted Authority Computation Complexity on OBU Tracing

In this subsection, we evaluate the trusted authority
computation complexity on OBU tracing algorithm. For fair
comparison, we use the same linear and binary search algorithms
in all of these protocols. We use the same notations as in
the previous sections. Table IV presents the computation
complexity for the four protocols. The trusted authority tracking
algorithm in our proposed protocol and GSB protocol has
better efficiency than the other two protocols.

Fig. 4. Time efficiency ratio $T_{RR} = T_{RRSB}/T_{RSUB}$ with a number of
n public key pairs, n varying from 1 to 50.

TABLE IV
Comparison of Computation Complexity

Protocol   Linear search                  Binary search
---------  -----------------------------  ------------------------------------
LAB        $O(N_{obu} \cdot N_{okey})$    $O(\log(N_{obu} \cdot N_{okey}))$
GSB        $O(N_{obu})$                   $O(\log(N_{obu}))$
RSUB       $O(N_{rsu} + N_{rkey})$        $O(\log(N_{rsu} \cdot N_{rkey}))$
RRSB       $O(N_{obu})$                   $O(\log(N_{obu}))$




VII. Summary

We have presented an efficient, spontaneous, conditional
privacy-preserving protocol based on the revocable ring
signature and aimed at secure vehicular communications.
We demonstrate that the proposed protocol not only provides
conditional privacy, a critical requirement in VANETs, but
is also able to improve efficiency in terms of the number of
keys stored at each vehicle, identity tracking in case of a
dispute, and, most importantly, message authentication and
verification. Meanwhile, our proposed solution can operate
independently: it does not require support from the roadside
infrastructure which, at least in the initial deployment stages,
may not cover all road segments.